The attackers are highly sophisticated, according to the firm, which speculates a nation-state may be behind the malware.

"The attackers are really professionals," Jaime Blasco, director of AlienVault Labs, told TechNewsWorld. "They were able to anticipate Kaspersky's public disclosure, and they shut down all the infrastructure within four hours of Kaspersky's publishing a short press release announcing the discovery of the Mask."

What Makes Up the Mask

The Mask consists of a rootkit and a bootkit, Kaspersky says.

There are 32-bit and 64-bit Windows versions, as well as versions for OS X and Linux.

Careto "used exploits for iOS and also Chrome, which previously only had few known vulnerabilities," he pointed out. "The cost to develop such attacks is pretty high. One has to have very deep pockets to make this attack real."

Detection is difficult, because "malware like this has the ability to morph based on its environment," Ken Westin, security researcher for Tripwire, told TechNewsWorld. "It can sniff out what is on the systems and network, and send data to a remote server where it can receive specific exploit code for the targeted system."

Further, malware can constantly change when downloaded to new systems, so its signature is never the same, Westin said.

The Things Mask Does

Mask uses a customized attack against older versions of Kaspersky Lab products to hide in the system.

It's likely that the Nokia phones were specifically included because the attacker "must have previously known that their victims used Nokia mobile devices, so they had to make something 100 percent effective and running on this platform," Kaspersky's Bestuzhev said.

Mask collects encryption keys, VPN configurations, SSH keys, and RDP files. It has several extensions that Kaspersky has not yet identified.

"After reading the paper, [I believe] it is indeed the most complex piece of malware ever discovered," Sorin Mustaca, an IT security expert at Avira, told TechNewsWorld.

How the Malware Attacks

Infected visitors later are redirected to a benign website, which could be a YouTube movie or a news portal.

Some malicious websites have subdomains simulating subsections of the main newspapers in Spain, as well as The Guardian and The Washington Post, in order to look genuine.

Mask leverages three separate backdoors. The first, Careto, is a general-purpose backdoor that collects system information and executes arbitrary code provided by the C&C servers. Another, called "SGH," works in kernel mode. It contains rootkit components and interceptor modules, steals files, and maintains its own connection to C&C servers.

The third is a custom-compiled backdoor based on the sbd open source netcat clone that is available in Win32, OS X and Linux variants, notes Kaspersky.

To minimize the chances of detection, the malware is signed digitally with a valid certificate from an obscure company called "TecSystem Ltd.," reports Kaspersky.

Who's Behind the Mask?

A nation-state may have authored the Mask, Kaspersky suggests.

The Mask "sounds and looks like a big project that required a lot of time, money and resources to accomplish," Philip Lieberman, president and CEO of Lieberman Software, told TechNewsWorld.

"The operation of the command and control [servers] appears to be professional," Lieberman continued. "The project appears to be run like a business with funding, technology and proper operations."

However, it might be too soon to point the finger at a nation-state, cautioned Tripwire's Westin.

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.